Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads. This vulnerability is fixed in 2.2.4.
{
"cwe_ids": [
"CWE-863"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30943.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.2.4"
}
],
"source": [
"AFFECTED_FIELD",
"CPE_RANGE",
"REFERENCES"
]
}